Date: 11/18/2024
Severity: Medium
Summary
Over the past three months, we have tracked a campaign, designated redir_pup_apk_dist, involving 1,346 domains redirecting users to sites distributing potentially unwanted Android APK files. These landing pages primarily promote adult or gambling applications and use similar design templates. The initial domain names are typically 5-6 character numeric strings followed by common TLDs like .com or .me. The campaign’s domain registration peaked on November 3, 2024, and often involves a traffic distribution system (TDS) URL in the redirection chain.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "18103.me" or url like "18103.me" or userdomainname like "81055.uk" or url like "81055.uk" or userdomainname like "https://18103.me/" or url like "https://18103.me/" or userdomainname like "qdff.slsxrpx.com" or url like "qdff.slsxrpx.com" or userdomainname like "49623.africa" or url like "49623.africa" or userdomainname like "36986.party" or url like "36986.party" or userdomainname like "35270.me" or url like "35270.me" or userdomainname like "51979.ac" or url like "51979.ac" or userdomainname like "57243.pink" or url like "57243.pink" or userdomainname like "56269.party" or url like "56269.party" or userdomainname like "266738.com" or url like "266738.com" or userdomainname like "315337.com" or url like "315337.com" or userdomainname like "315738.com" or url like "315738.com" or userdomainname like "337125.com" or url like "337125.com" or userdomainname like "631563.com" or url like "631563.com" or userdomainname like "754838.com" or url like "754838.com" or userdomainname like "797896.com" or url like "797896.com" or userdomainname like "856254.com" or url like "856254.com" or userdomainname like "892636.com" or url like "892636.com" or userdomainname like "965923.com" or url like "965923.com" or userdomainname like "971185.com" or url like "971185.com" or userdomainname like "985586.com" or url like "985586.com" or userdomainname like "qdff.esvsgkp.com" or url like "qdff.esvsgkp.com" or userdomainname like "qdff.jzmdlly.com" or url like "qdff.jzmdlly.com" or userdomainname like "qdff.nmhcvyr.com" or url like "qdff.nmhcvyr.com" or userdomainname like "qdff.rmkuaso.com" or url like "qdff.rmkuaso.com" or userdomainname like "qdff.uqcpcmr.com" or url like "qdff.uqcpcmr.com" or userdomainname like "chabietvietgi12.3wwmi6.my" or url like "chabietvietgi12.3wwmi6.my" or userdomainname like "ks883hsggahbc.z0kuj6.top" or url like "ks883hsggahbc.z0kuj6.top" or userdomainname like "ml01605mlt.fhfghud.top" or url like "ml01605mlt.fhfghud.top" or userdomainname like "ml31302mlt.ortzj.site" or url like "ml31302mlt.ortzj.site" or userdomainname like "ml71603mlt.phooway.top" or url like "ml71603mlt.phooway.top" or userdomainname like "sangroidayjthoichan1111.csoqp0.my" or url like "sangroidayjthoichan1111.csoqp0.my" or userdomainname like "terwtwregr.a1lag8.wang" or url like "terwtwregr.a1lag8.wang" or userdomainname like "uuuuuyuyuyuyuy.w5mokm.top" or url like "uuuuuyuyuyuyuy.w5mokm.top" or userdomainname like "https://uuuuuyuyuyuyuy.w5mokm.top" or url like "https://uuuuuyuyuyuyuy.w5mokm.top" or userdomainname like "https://56269.party/" or url like "https://56269.party/" or userdomainname like "https://qdff.nmhcvyr.com:7111/61/cpa16.html" or url like "https://qdff.nmhcvyr.com:7111/61/cpa16.html" or userdomainname like "https://ml61602mlt.phooway.top:12707/61/?channelCode=cpa16" or url like "https://ml61602mlt.phooway.top:12707/61/?channelCode=cpa16" or userdomainname like "https://266738.com/" or url like "https://266738.com/" or userdomainname like "https://qdff.nmhcvyr.com:7111/18/xjiu241.html" or url like "https://qdff.nmhcvyr.com:7111/18/xjiu241.html" or userdomainname like "https://ml61602mlt.phooway.top:12707/18/?channelCode=xjiu241" or url like "https://ml61602mlt.phooway.top:12707/18/?channelCode=xjiu241" or userdomainname like "https://57243.pink/" or url like "https://57243.pink/" or userdomainname like "https://qdff.nmhcvyr.com:7111/61/cpa15.html" or url like "https://qdff.nmhcvyr.com:7111/61/cpa15.html" or userdomainname like "https://ml71603mlt.phooway.top:12707/61/?channelCode=cpa15" or url like "https://ml71603mlt.phooway.top:12707/61/?channelCode=cpa15" or userdomainname like "https://985586.com/" or url like "https://985586.com/" or userdomainname like "https://qdff.nmhcvyr.com:7111/53/yh249.html" or url like "https://qdff.nmhcvyr.com:7111/53/yh249.html" or userdomainname like "https://ml01605mlt.fhfghud.top:12708/53/?channelCode=yh249" or url like "https://ml01605mlt.fhfghud.top:12708/53/?channelCode=yh249" |
Detection Query 2 |
sha256hash IN ("1fe237e426b06ad01b6376753cb4e5634d6903184a1bf792d387569c9a3a7b50","70a541aac5fe4bde4267c31ff2b7531b36d158d04175b71ec3ed2dc602345a48","8086783d4cbbabd6163c8ea03b6c80527634d3de10aa1b1955c728a260b28585","c8dc893b6b0f3d00bb80962b77021a668f37c7f8be8f157d678d800652655f8f","440d605f1e24cd3415d51e9c3347f4c6260cfdd9cf35ce66795ec2aca24a1345","b14023b89fd2f57ae73cb81f259a3f2ab04b69d897c8a2c16c310c397d95fb8a","28ec30c95246e3154e820093e24fbd0dd29ede9f272bc7886c33e543f15d241c","c89d8dfdda3c3b667fb45e4f430fc76b5365501b6b7ea7e6eb64149a2da97a85","46fe1a536ee6dd0040efec5f7dc36be30617e9e484a275705760b1f7581cb2cd","2d91356c46bf586ab71377dc44b882e384962d07ee3464e6f76ff9a8a73a9ed9") |
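The exact-match queries above only fire on indicators already known. The redirect pattern described in the summary (a 5-6 digit numeric domain under a common TLD, followed by further hops ending at a landing URL carrying a channelCode parameter) can also be checked on the log side. This is an added example, not Gurucul's TDIR query or Unit 42's code: the indicator domains and the TLD set come from this advisory, while the proxy log format ("timestamp client url") and the sample lines are constructed for the example.

```python
# Added example (not Gurucul's or Unit 42's code): log-side check for the
# redir_pup_apk_dist pattern. IOC domains from the advisory; log lines constructed.
import re
from urllib.parse import parse_qs, urlparse

# A subset of the advisory's exact indicator domains (extend with the full list).
KNOWN_IOC_DOMAINS = {
    "18103.me", "qdff.nmhcvyr.com", "ml61602mlt.phooway.top", "ml01605mlt.fhfghud.top",
}
# Summary heuristic: 5-6 digit numeric label under a TLD seen in the indicator list.
NUMERIC_DOMAIN = re.compile(r"^\d{5,6}\.(com|me|uk|africa|party|ac|pink)$")

def classify_url(url):
    """Return the reasons a single URL matches the campaign (empty list = clean)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in KNOWN_IOC_DOMAINS:
        reasons.append("ioc_domain")
    elif NUMERIC_DOMAIN.match(host):
        reasons.append("numeric_domain")
    if "channelCode" in parse_qs(parsed.query):
        reasons.append("channelcode_landing")  # query key seen on the final landing URLs
    return reasons

def find_redirect_chains(log_lines):
    """Per client, flag an IOC/numeric-domain hit later followed by a channelCode landing page."""
    per_client = {}
    for line in log_lines:
        _ts, client, url = line.split(" ", 2)  # constructed 'timestamp client url' format
        per_client.setdefault(client, []).append(classify_url(url))
    flagged = []
    for client, sequence in per_client.items():
        saw_entry = False
        for reasons in sequence:
            if saw_entry and "channelcode_landing" in reasons:
                flagged.append(client)
                break
            if "ioc_domain" in reasons or "numeric_domain" in reasons:
                saw_entry = True
    return flagged

# Constructed sample traffic: one client walks the full chain, another is benign.
SAMPLE_LOG = [
    "2024-11-03T10:00:01Z 10.0.0.5 https://56269.party/",
    "2024-11-03T10:00:02Z 10.0.0.5 https://qdff.nmhcvyr.com:7111/61/cpa16.html",
    "2024-11-03T10:00:03Z 10.0.0.5 https://ml61602mlt.phooway.top:12707/61/?channelCode=cpa16",
    "2024-11-03T10:05:00Z 10.0.0.9 https://example.com/news",
]
```

The numeric-domain heuristic is deliberately broader than the IOC list and will match unrelated numeric domains, so treat it as a triage signal and the chain match as the stronger alert.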
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-15-IOCs-for-redir_pup_apk_dist.txt